Compliance

The first tranche of Australian privacy law reform has been passed by the Australian government and will come into effect within days. This reform further increases the range and type of penalties that Australia can enforce for non-compliance with local privacy law and introduces changes that businesses will need to act on.
Continue Reading: First Tranche of Reforms to Australian Privacy Law Passed with Amendments

Nineteen states have followed the lead of California and passed consumer privacy laws. Three went into effect this year and eight will become effective in 2025. The remainder become effective in 2026. Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2). While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, there are other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data and not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] or laws, including part of overall consumer privacy laws, regulating data brokers[4] that enterprises need to consider.

A recent article published by the authors in Competition Policy International’s TechReg Chronicle details the similarities and differences between the 20 state consumer privacy laws, and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).
Continue Reading: Are You Ready for The Latest U.S. State Consumer Privacy Laws?

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

Court Ruling in China on Personal Data

On October 9, 2024, the European Data Protection Board (EDPB) unveiled its much-anticipated Guidelines on using legitimate interest (Article 6.1(f) of the GDPR) as a lawful basis for processing personal data. These guidelines set out clear criteria for data controllers, and will therefore be most welcome.

For years, legitimate interest has been among the go-to options for organizations, on the idea that it offers more flexibility (as long as you comply with the inherent requirements of its use). High-profile cases, like the Court of Justice of the European Union’s (CJEU) decision in Royal Dutch Tennis Association (KNLTB), acknowledged that commercial interests may qualify as legitimate, but also crystallized the tension over its use with supervisory authorities and privacy advocates.
Continue Reading: Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

In September 2024, the Guangzhou Internet Court released its ruling, originally issued in September 2023, on a civil dispute involving the transfer of personal data outside mainland China. This judgment is reportedly the first judicial judgment on cross-border data transfers.

In this case, an international hotel group based in France, as the defendant, was found liable for illegally transferring the personal data of the plaintiff, an individual Chinese customer, to third parties outside of China for the purpose of marketing, without obtaining the customer’s separate consent prior to providing the data.
Continue Reading: Court Ruling in China on Personal Data Transfer by International Hotel Chain

The ICO has fined the Police Service of Northern Ireland (“PSNI”) £750,000 in what it has described as the “most significant data breach that has ever occurred in the history of UK policing”[1]. The ICO imposed the largest ever fine on a public body following the unauthorised disclosure of an Excel spreadsheet containing the personal data of 9,483 police officers and staff. Given that the ICO’s stated policy for public authorities is for enforcement to act as a deterrent and to remedy data breaches through reprimands and enforcement notices, with the use of fines reserved for the most egregious cases, it is, at first glance at least, surprising to see the level of fine imposed. The fine comes with a word of warning to private sector data controllers: they would not have benefited from the reduction afforded to public sector enforcement and could have faced a fine of up to £17.5 million.

Background

On 3 August 2023, the PSNI received two Freedom of Information (FOI) requests from the website WhatDoTheyKnow (WDTK) requesting details of the number of officers and staff at each rank or grade. This data was compiled by the PSNI’s Workforce Planning Team by downloading and editing existing HR Excel spreadsheets. After preparation, the responsive spreadsheet was sent to the Head of the Workforce Planning Team for quality assurance checks. Once reviewed, it was forwarded to the FOI Decision Maker, who chose to disclose the Excel file in its original format rather than convert it to a Word document, due to technical issues.
Continue Reading: Data Breaches and Spreadsheets: How to Avoid Fines When Excelling

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join SPB’s Privacy Team for Two Strafford Webinars in December

Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

This December, SPB’s Privacy Group leader Alan Friel, partner Julia Jacobson and associate Gicel Tomimbang are set to present two must-see Strafford CLE webinars. Each session will offer practical guidance on data privacy compliance, from US state-specific requirements to international standards.
Continue Reading: Join SPB’s Privacy Team for Two Strafford Webinars in December

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws):

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025 (Utah ARCA).
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers, effective July 1, 2024 (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024, with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.) The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and the FTC Final Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with it. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.
Continue Reading: Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers